svchost CPU 100% Vyřešeno

[slama]

Hlášení kontroly
Čtvrtek, Březen 18, 2010 23:56:50 - 01:15:38

Název počítače: MAREKZAVADIL
Typ kontroly: Kontrolovat systém na přítomnost malwaru, spywaru a programů rootkit
Cíl: C:\
Nalezený malware: 12
TrackingCookie.Questionmarket (spyware)

* Systém (Vyléčeno)

TrackingCookie.2o7 (spyware)

* Systém (Vyléčeno)

TrackingCookie.Atdmt (spyware)

* Systém (Vyléčeno)

TrackingCookie.Doubleclick (spyware)

* Systém (Vyléčeno)

TrackingCookie.Yieldmanager (spyware)

* Systém (Vyléčeno)

Trojan.Agent.BAT.H (virus)

* C:\WINDOWS.2\SYSTEM32\FJHDYFHSN.BAT (Přejmenováno & Odesláno)

Trojan.Agent.BAT.H (virus)

* C:\WINDOWS.0\SYSTEM32\FJHDYFHSN.BAT (Přejmenováno & Odesláno)

Gen:Rootkit.Nixoa.1 (virus)

* C:\WINDOWS.0\SYSTEM32\DRIVERS\LENWF.SYS (Přejmenováno & Odesláno)

Trojan.Agent.BAT.H (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{F3A1BDB6-0B6E-44F8-AAAB-46231D803F77}\RP9\A0004384.BAT (Přejmenováno & Odesláno)

Trojan.Agent.BAT.H (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{DA74249C-6507-4367-8F00-D64DAC3D67E1}\RP43\A0060655.BAT (Přejmenováno & Odesláno)

Suspicious:W32/Malware!Gemini (virus)

* C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA20C327-AF20-4678-96DB-4451983B8FBD}\RP8\A0000981.EXE (Nevyčištěno)

Suspicious:W32/Malware!Gemini (virus)

* C:\PROGRAM FILES\WARCRAFT 3\W3GMASTER.EXE (Nevyčištěno & Odesláno)

Statistika
Kontrolováno:

* Soubory: 50434
* Systém: 2468
* Nekontrolováno: 8

Akce:

* Vyléčeno: 5
* Přejmenováno: 5
* Odstraněno: 0
* Nevyčištěno: 2
* Odesláno: 6

Nekontrolované soubory:

* C:\PAGEFILE.SYS
* C:\WINDOWS.1\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS.1\SYSTEM32\CONFIG\SAM
* C:\WINDOWS.1\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS.1\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS.1\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\MAREK ZAVADIL.MAREKZAVADIL\LOCAL SETTINGS\TEMP\HSPERFDATA_MAREK ZAVADIL\1272
* C:\DOCUMENTS AND SETTINGS\MAREK ZAVADIL.MAREKZAVADIL\LOCAL SETTINGS\TEMP\HSPERFDATA_MAREK ZAVADIL\756

Možnosti
Moduly kontroly:

Možnosti kontroly:

* Kontrolovat určené soubory: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Používat pokročilou heuristiku

[Reklama]

[Damned]

Vypni si Body obnovení systému, a po chvíli si je znovu zapni.

Vypni antivir a pokud máš i Antispyware a odinstaluj ComboFix ( nutné ) .
ComboFix se odinstaluje takto:
Start-Spustit a zadej: Combofix[mezera]/uninstall

Stáhni si T-Cleaner ( nutné - smaže vše po Combu,SDFixu,Avengeru,MWAVu atd.-stáhneš->spustíš)

(pozn.Pokud máš AVG nebo Aviru, před stažením T-Cleaneru a po dobu čištění deaktivuj AVG i Aviru (i rezidenty), následně T-Cleaner smaž a zapni si AVG, Aviru.)
*****************************************************************************************************************************************
Stáhni si OTL na Plochu.
Ujisti se , že máš zavřena všechna ostatní okna a poklepej na ikonu OTL.Nahoře v okně pod Output klikni na minimal Output.Pod Standard Registry změň na All. Zatrhni LOP Check a Purity Check. File age změň na 14 days. Všechny ostatní nastavení ponech jak jsou. Klikni na Run Scan. Sken může trvat dlouho, až skončí otevřou se dva logy:
OTL.Txt
Extras.Txt
Jsou uloženy ve stejném místě jako OTL. Oba logy sem prosím zkopíruj

[slama]

tady je Extras!!!________

OTL Extras logfile created on: 18.3.2010 2:03:17 - Run 1
OTL by OldTimer - Version 3.1.37.2 Folder = C:\Documents and Settings\Marek Zavadil.MAREKZAVADIL\Plocha
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000405 | Country: Česká republika | Language: CSY | Date Format: d.M.yyyy

511,00 Mb Total Physical Memory | 314,00 Mb Available Physical Memory | 61,00% Memory free
1,00 Gb Paging File | 1,00 Gb Available in Paging File | 87,00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS.1 | %ProgramFiles% = C:\Program Files
Drive C: | 149,04 Gb Total Space | 85,15 Gb Free Space | 57,13% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: MAREKZAVADIL
Current User Name: Marek Zavadil
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 14 Days
Output = Minimal

========== Extra Registry (All) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS.1\hh.exe (Microsoft Corporation)
.cpl [@ = cplfile] -- C:\WINDOWS.1\System32\shell32.dll (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\WINDOWS.1\System32\winhlp32.exe (Microsoft Corporation)
.hta [@ = htafile] -- C:\WINDOWS.1\System32\mshta.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)
.inf [@ = inffile] -- C:\WINDOWS.1\System32\NOTEPAD.EXE (Microsoft Corporation)
.ini [@ = inifile] -- C:\WINDOWS.1\System32\NOTEPAD.EXE (Microsoft Corporation)
.url [@ = InternetShortcut] -- C:\WINDOWS.1\System32\ieframe.dll (Microsoft Corporation)
.js [@ = JSFile] -- C:\WINDOWS.1\System32\WScript.exe (Microsoft Corporation)
.jse [@ = JSEFile] -- C:\WINDOWS.1\System32\WScript.exe (Microsoft Corporation)
.reg [@ = regfile] -- C:\WINDOWS.1\regedit.exe (Microsoft Corporation)
.txt [@ = txtfile] -- C:\WINDOWS.1\System32\NOTEPAD.EXE (Microsoft Corporation)
.vbe [@ = VBEFile] -- C:\WINDOWS.1\System32\WScript.exe (Microsoft Corporation)
.vbs [@ = VBSFile] -- C:\WINDOWS.1\System32\WScript.exe (Microsoft Corporation)
.wsf [@ = WSFFile] -- C:\WINDOWS.1\System32\WScript.exe (Microsoft Corporation)
.wsh [@ = WSHFile] -- C:\WINDOWS.1\System32\WScript.exe (Microsoft Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
batfile [open] -- "%1" %*
batfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [edit] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %*
cmdfile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
comfile [open] -- "%1" %*
cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- winhlp32.exe %1 (Microsoft Corporation)
hlpfile [open] -- %SystemRoot%\System32\winhlp32.exe %1 (Microsoft Corporation)
htafile [open] -- C:\WINDOWS.1\system32\mshta.exe "%1" %* (Microsoft Corporation)
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
inffile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inffile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
inifile [open] -- %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
inifile [print] -- %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
InternetShortcut [open] -- rundll32.exe ieframe.dll,OpenURL %l (Microsoft Corporation)
InternetShortcut [print] -- rundll32.exe C:\WINDOWS.1\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)
jsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
jsefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
jsefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
jsefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [edit] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
regfile [open] -- regedit.exe "%1" (Microsoft Corporation)
regfile [merge] -- Reg Error: Key error.
regfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
txtfile [open] -- %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
txtfile [print] -- %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
txtfile [printto] -- %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)
vbefile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbefile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbefile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
vbsfile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
vbsfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
vbsfile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wsffile [edit] -- %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
wsffile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
wsffile [print] -- %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)
wshfile [open] -- %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" = %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019 -- (Microsoft Corporation)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}" = HiJackThis
"{26A24AE4-039D-4CA4-87B4-2F83216018FF}" = Java(TM) 6 Update 18
"{350C9405-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{7E20EFE6-E604-48C6-8B39-BA4742F2CDB4}" = Zune Desktop Theme
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"7-Zip" = 7-Zip 4.64
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"CCleaner" = CCleaner (remove only)
"DVD Decrypter" = DVD Decrypter (Remove Only)
"KLiteCodecPack_is1" = K-Lite Mega Codec Pack 3.9.5
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Mozilla Firefox (3.0.5)" = Mozilla Firefox (3.0.5)
"Mozilla Thunderbird (2.0.0.18)" = Mozilla Thunderbird (2.0.0.18)
"WinRAR archiver" = WinRAR

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 16.3.2010 9:04:23 | Computer Name = MAREKZAVADIL | Source = PerfNet | ID = 2004
Description = Nelze otevřít službu serveru. Data o výkonu serveru nejsou k dispozici.
Vrácený chybový kód je v datech DWORD 0.

Error - 17.3.2010 18:50:01 | Computer Name = MAREKZAVADIL | Source = PerfNet | ID = 2004
Description = Nelze otevřít službu serveru. Data o výkonu serveru nejsou k dispozici.
Vrácený chybový kód je v datech DWORD 0.

[ System Events ]
Error - 17.3.2010 16:37:37 | Computer Name = MAREKZAVADIL | Source = Cdrom | ID = 262151
Description = Zařízení \Device\CdRom0 má chybný blok.

Error - 17.3.2010 16:37:43 | Computer Name = MAREKZAVADIL | Source = Cdrom | ID = 262151
Description = Zařízení \Device\CdRom0 má chybný blok.

Error - 17.3.2010 16:59:08 | Computer Name = MAREKZAVADIL | Source = Service Control Manager | ID = 7001
Description = Služba Prohledávání počítačů závisí na službě Server, která neuspěla
při spuštění v důsledku následující chyby: %%1058

Error - 17.3.2010 16:59:09 | Computer Name = MAREKZAVADIL | Source = Service Control Manager | ID = 7026
Description = Zavedení následujícího ovladače pro spouštění počítače nebo systému
se nezdařilo: IntelIde

Error - 17.3.2010 16:59:14 | Computer Name = MAREKZAVADIL | Source = sr | ID = 1
Description = Filtr nástroje Obnovení systému zjistil neočekávanou chybu 0xC0000001
při zpracování souboru na svazku HarddiskVolume1. Sledování svazku bylo ukončeno.


Error - 17.3.2010 17:05:56 | Computer Name = MAREKZAVADIL | Source = Service Control Manager | ID = 7001
Description = Služba Prohledávání počítačů závisí na službě Server, která neuspěla
při spuštění v důsledku následující chyby: %%1058

Error - 17.3.2010 17:52:52 | Computer Name = MAREKZAVADIL | Source = PlugPlayManager | ID = 11
Description = Zařízení Root\LEGACY_GJAZJC\0000 se již v systému nenachází, přestože
nebylo nejdříve připraveno k odebrání.

Error - 17.3.2010 17:58:51 | Computer Name = MAREKZAVADIL | Source = Service Control Manager | ID = 7001
Description = Služba Prohledávání počítačů závisí na službě Server, která neuspěla
při spuštění v důsledku následující chyby: %%1058

Error - 17.3.2010 19:01:48 | Computer Name = MAREKZAVADIL | Source = Service Control Manager | ID = 7000
Description = Služba F-Secure BlackLight Engine Driver neuspěla při spuštění v důsledku
následující chyby: %%31

Error - 17.3.2010 20:58:01 | Computer Name = MAREKZAVADIL | Source = Service Control Manager | ID = 7001
Description = Služba Prohledávání počítačů závisí na službě Server, která neuspěla
při spuštění v důsledku následující chyby: %%1058


< End of report >

[Damned]

Poklepej na ikonu OTL na ploše.Ujisti se , že máš všechny ostatní aplikace a prohlížeče zavřeny.
Pod Custom Scans/Fixes do okénka vlož následující text, zobrazený zeleně:

Kód: Vybrat vše

:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
FF - prefs.js..browser.search.selectedEngine: "DAEMON Search"
FF - prefs.js..extensions.enabledItems: DTToolbar@toolbarnet.com:1.1.1.0014
2010.03.18 01:17:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marek Zavadil.MAREKZAVADIL\Data aplikací\Mozilla\Firefox\Profiles\nl0xdfdy.default\extensions
[2010.03.16 14:21:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Marek Zavadil.MAREKZAVADIL\Data aplikací\Mozilla\Firefox\Profiles\nl0xdfdy.default\extensions\DTToolbar@toolbarnet.com
[2010.03.16 14:21:33 | 000,000,523 | ---- | M] () -- C:\Documents and Settings\Marek Zavadil.MAREKZAVADIL\Data aplikací\Mozilla\Firefox\Profiles\nl0xdfdy.default\searchplugins\daemon-search.xml
O3 - HKCU\..\Toolbar\WebBrowser: (DAEMON Tools Toolbar) - {32099AAC-C132-4136-9E9A-4E364A424E17} - C:\Program Files\DAEMON Tools Toolbar\DTToolbar.dll File not found
O4 - HKLM..\Run: [combofix] C:\ComboFix\CF25593.cfx File not found
O28 - HKLM ShellExecuteHooks: {AEB6717E-7E19-11d0-97EE-00C04FD91972} - Reg Error: Key error. File not found

:Files
C:\WINDOWS.1\*.tmp
C:\WINDOWS.1\System32\*.tmp
C:\WINDOWS\*.tmp
C:\WINDOWS\System32\*.tmp
C:\WINDOWS\system32\*.tmp.dll
C:\WINDOWS\system32\SET*.tmp
C:\Recycler
C:\$RECYCLE.BIN
C:\Documents and Settings\NetworkService\Data aplikací\rbuwzv.dat
C:\Documents and Settings\LocalService\Local Settings\Data aplikací\ESET
C:\Documents and Settings\Marek Zavadil.MAREKZAVADIL\Plocha\fix.reg
c:\documents and settings\Marek Zavadil.MAREKZAVADIL.000\wuaucldt.exe
C:\Windows\tasks\SA.DAT
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA20C327-AF20-4678-96DB-4451983B8FBD}\RP8\A0000981.EXE
C:\PROGRAM FILES\WARCRAFT 3\W3GMASTER.EXE

:Reg
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"=-

:Commands
[purity]
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]


Poté klikni nahoře na Run Fix. Nech program nerušeně běžet, na konci se provede restart PC.
Po restartu se objeví log , prosím zkopíruj sem celý jeho obsah.

[slama]

========== OTL ==========
Process explorer.exe killed successfully!
Prefs.js: "DAEMON Search" removed from browser.search.selectedEngine
Prefs.js: DTToolbar@toolbarnet.com:1.1.1.0014 removed from extensions.enabledItems
C:\Documents and Settings\Marek Zavadil.MAREKZAVADIL\Data aplikací\Mozilla\Firefox\Profiles\nl0xdfdy.default\extensions\DTToolbar@toolbarnet.com\components\Resources folder moved successfully.
C:\Documents and Settings\Marek Zavadil.MAREKZAVADIL\Data aplikací\Mozilla\Firefox\Profiles\nl0xdfdy.default\extensions\DTToolbar@toolbarnet.com\components folder moved successfully.
C:\Documents and Settings\Marek Zavadil.MAREKZAVADIL\Data aplikací\Mozilla\Firefox\Profiles\nl0xdfdy.default\extensions\DTToolbar@toolbarnet.com\chrome folder moved successfully.
C:\Documents and Settings\Marek Zavadil.MAREKZAVADIL\Data aplikací\Mozilla\Firefox\Profiles\nl0xdfdy.default\extensions\DTToolbar@toolbarnet.com folder moved successfully.
C:\Documents and Settings\Marek Zavadil.MAREKZAVADIL\Data aplikací\Mozilla\Firefox\Profiles\nl0xdfdy.default\searchplugins\daemon-search.xml moved successfully.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32099AAC-C132-4136-9E9A-4E364A424E17} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\combofix deleted successfully.

OTL by OldTimer - Version 3.1.37.2 log created on 03182010_105747

[Damned]

To si určitě nezkopíroval celé. Buď si nezkopíroval celý skript, nebo si nezkopíroval celý log. Zkontroluj to prosím

[slama]

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
Prefs.js: "DAEMON Search" removed from browser.search.selectedEngine
Prefs.js: DTToolbar@toolbarnet.com:1.1.1.0014 removed from extensions.enabledItems
Folder C:\Documents and Settings\Marek Zavadil.MAREKZAVADIL\Data aplikací\Mozilla\Firefox\Profiles\nl0xdfdy.default\extensions\DTToolbar@toolbarnet.com\ not found.
File C:\Documents and Settings\Marek Zavadil.MAREKZAVADIL\Data aplikací\Mozilla\Firefox\Profiles\nl0xdfdy.default\searchplugins\daemon-search.xml not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{32099AAC-C132-4136-9E9A-4E364A424E17} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32099AAC-C132-4136-9E9A-4E364A424E17}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\combofix not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{AEB6717E-7E19-11d0-97EE-00C04FD91972} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AEB6717E-7E19-11d0-97EE-00C04FD91972}\ not found.
========== FILES ==========
C:\WINDOWS.1\SET3.tmp moved successfully.
C:\WINDOWS.1\SET4.tmp moved successfully.
C:\WINDOWS.1\SET8.tmp moved successfully.
C:\WINDOWS.1\System32\CONFIG.TMP moved successfully.
C:\WINDOWS\SET3.tmp moved successfully.
C:\WINDOWS\SET4.tmp moved successfully.
C:\WINDOWS\SET8.tmp moved successfully.
C:\WINDOWS\System32\CONFIG.TMP moved successfully.
File\Folder C:\WINDOWS\system32\*.tmp.dll not found.
File\Folder C:\WINDOWS\system32\SET*.tmp not found.
C:\RECYCLER\S-1-5-21-1085031214-1844823847-1417001333-1003 folder moved successfully.
C:\RECYCLER folder moved successfully.
File\Folder C:\$RECYCLE.BIN not found.
C:\Documents and Settings\NetworkService\Data aplikací\rbuwzv.dat moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Data aplikací\ESET\ESET NOD32 Antivirus\Quarantine folder moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Data aplikací\ESET\ESET NOD32 Antivirus folder moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Data aplikací\ESET folder moved successfully.
C:\Documents and Settings\Marek Zavadil.MAREKZAVADIL\Plocha\fix.reg moved successfully.
c:\documents and settings\Marek Zavadil.MAREKZAVADIL.000\wuaucldt.exe moved successfully.
File\Folder C:\Windows\tasks\SA.DAT not found.
C:\SYSTEM VOLUME INFORMATION\_RESTORE{BA20C327-AF20-4678-96DB-4451983B8FBD}\RP8\A0000981.exe moved successfully.
C:\PROGRAM FILES\WARCRAFT 3\W3GMaster.exe moved successfully.
========== REGISTRY ==========
Registry key HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: All Users.WINDOWS

User: All Users.WINDOWS.1

User: All Users.WINDOWS.2

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User.WINDOWS
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User.WINDOWS.1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User.WINDOWS.2
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: LocalService.NT AUTHORITY.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Marek Zavadil
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 203890 bytes
->Java cache emptied: 930319 bytes
->FireFox cache emptied: 44572752 bytes
->Flash cache emptied: 25310 bytes

User: Marek Zavadil.MAREKZAVADIL
->Temp folder emptied: 466282603 bytes
->Temporary Internet Files folder emptied: 932266 bytes
->Java cache emptied: 30601 bytes
->FireFox cache emptied: 46161925 bytes
->Flash cache emptied: 2038 bytes

User: Marek Zavadil.MAREKZAVADIL.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 44776060 bytes
->Flash cache emptied: 2811 bytes

User: MAREKZ~1~000

User: MAREKZ~1~MAR

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 696572 bytes

User: NetworkService.NT AUTHORITY
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: NetworkService.NT AUTHORITY.000
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 16384 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 577,00 mb


[EMPTYFLASH]

User: All Users

User: All Users.WINDOWS

User: All Users.WINDOWS.1

User: All Users.WINDOWS.2

User: Default User

User: Default User.WINDOWS

User: Default User.WINDOWS.1

User: Default User.WINDOWS.2

User: LocalService

User: LocalService.NT AUTHORITY

User: LocalService.NT AUTHORITY.000

User: Marek Zavadil
->Flash cache emptied: 0 bytes

User: Marek Zavadil.MAREKZAVADIL
->Flash cache emptied: 0 bytes

User: Marek Zavadil.MAREKZAVADIL.000
->Flash cache emptied: 0 bytes

User: MAREKZ~1~000

User: MAREKZ~1~MAR

User: NetworkService

User: NetworkService.NT AUTHORITY

User: NetworkService.NT AUTHORITY.000

Total Flash Files Cleaned = 0,00 mb


OTL by OldTimer - Version 3.1.37.2 log created on 03182010_113339

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

[Damned]

Proč tam máš takhle gulášovitě nainstalován Windows? Nebylo by lepší naformátovat a nainstalovat jednu instalaci?

Smaž složku C:\_OTL a vysyp Koš.

Stáhni si ToolsCleaner2 (by de A.Rothstein & Dj Quiou) na Plochu a spusť ho.

Klikni na Pt. Restauration (obnova) a poté na OK.
Klikni na Corbeille (koš) a poté na OK.
Klikni na Fichiers temp (temp složky) a poté na OK.
Klikni na Recherche (hledání) a nech Cleaner pracovat. Může se během čištění zastavit , ale nech ho pokračovat.
Když program skončí , klikni na Suppression (odstranění) a odstraň nalezené.
Zavři a smaž program.
*****************************************************************************************************************************************
Stáhni si SystemLook nebo: SystemLook na Plochu.
Spusť ho a do políčka vlož tento text:

Kód: Vybrat vše

:filefind
*wuaucldt*

*rbuwzv*


A zmáčkni "Look". Po kontrole se ti na Ploše objeví SystemLook.txt. Zkopíruj ho sem.

[slama]

Protoze reinstalace win resila docastne muj problem se schvostem,,a ted bych potreboval poradit jak mohu ty ostatni instalace win odstranit____


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 12:06 on 18/03/2010 by Marek Zavadil (Administrator - Elevation successful)

========== filefind ==========

Searching for "*wuaucldt*"
C:\WINDOWS.2\system32\wuaucldt.exe --a--- 51807 bytes [10:41 17/03/2010] [10:41 17/03/2010] 30856688227ECA28D3D16210F907C9CC

Searching for "*rbuwzv*"
No files found.

-=End Of File=-

[Damned]

Problém s hlavním systémovým procesem způsobila absence antiviru a přítomnost nejméně 2 rootkitů a cca 10 malware (asi ti tam hráli kuželky). Tomu jen "opravná instalace" bez formátu nepomůže, jen se vytvoří nová složka Windows a přepíše se registr. Starší složky Windows v PC zůstanou a zabírají místo, a viry zůstanou. Po vyčištění bych tedy spíše doporučil si zazálohovat soukromá data (od fotek a videí, textů, různých prací,hesel a klíčů až po seznam instalovaných programů)-určitě nezálohovat cracky, keygeny a podobné- a provést novou instalaci Windows,ale provést formát disku, tak aby nová instalace šla na opravdu čistý disk.

Vypni si zas Body obnovení a po chvíli si je opět zapni (musíme odstranit ještě toho trojana).

Poklepej na ikonu OTL na ploše.Ujisti se , že máš všechny ostatní aplikace a prohlížeče zavřeny.
Pod Custom Scans/Fixes do okénka vlož následující text, zobrazený zeleně:

Kód: Vybrat vše

:OTL
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)

:Files
C:\WINDOWS.2\system32\wuaucldt.exe
C:\WINDOWS.1\*.tmp
C:\WINDOWS.1\System32\*.tmp
C:\WINDOWS\*.tmp
C:\WINDOWS\System32\*.tmp
C:\WINDOWS\system32\*.tmp.dll
C:\WINDOWS\system32\SET*.tmp
C:\Recycler
C:\$RECYCLE.BIN

:Reg

:Commands
[purity]
[emptytemp]
[emptyflash]
[start explorer]
[Reboot]

Poté klikni nahoře na Run Fix. Nech program nerušeně běžet, na konci se provede restart PC.
Po restartu se objeví log , prosím zkopíruj sem celý jeho obsah.

[slama]

All processes killed
========== OTL ==========
No active process named explorer.exe was found!
File rity] not found.
File ptytemp] not found.
File ptyflash] not found.
File art explorer] not found.
File boot] not found.

OTL by OldTimer - Version 3.1.37.2 log created on 03182010_122530

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...

[Damned]

File rity] not found.
File ptytemp] not found.
File ptyflash] not found.
File art explorer] not found.
File boot] not found.

Špatně si to zkopíroval, ještě jednou a zkontroluj zda jsou řádky psané přesně od levého kraje okýnka. Nesmí tam být mezírka někdy ty mezírky nejsou vidět - pak OTL neprovede přesně skript.